偏鄉數位應用推動計畫 Open Redirect Vulnerability - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2018-01084
  • Vendor: The Government of the Republic of China (Taiwan)
  • Title: 偏鄉數位應用推動計畫 Open Redirect Vulnerability
  • Introduction: The open redirect vulnerability could be used as part of a phishing scam by redirecting users to a malicious site. Without meaningful validation, a malicious user could create a hyperlink that redirects your users to an unvalidated malicious website.

Processing Status

Current Status

Public
Last Update: 2018/12/15
  • Newly submitted
  • Reviewed
  • Reported to vendor
  • Patched
  • Retested
  • Public

Processing History

  • 2018/08/05 23:35:52: Newly submitted (status updated by doctormaster)
  • 2018/08/06 23:40:37: Review completed (status updated by the HITCON ZeroDay service team)
  • 2018/08/07 13:02:32: Patching in progress (status updated by the HITCON ZeroDay service team)
  • 2018/08/07 13:02:33: Patching in progress (status updated by the HITCON ZeroDay service team)
  • 2018/10/05 03:00:04: Public (updated automatically by the HITCON ZeroDay platform)
  • 2018/12/05 14:34:43: Retest requested (status updated by the HITCON ZeroDay service team)
  • 2018/12/15 00:08:06: Confirmed patched (status updated by doctormaster)
  • 2018/12/15 03:00:02: Public (updated automatically by the HITCON ZeroDay platform)

Details

  • ZDID: ZD-2018-01084
  • Reporter: doctormaster (doctormaster)
  • Risk: Low
  • Type: Unvalidated URL redirect (Unvalidated Redirects and Forwards)

References

An attacker could use this vulnerability to redirect victims to a malicious website.

OWASP Top 10 2010 - A10 - Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

Unvalidated Redirects and Forwards Cheat Sheet
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://cwe.mitre.org/data/definitions/601.html
(The information in this field is generated automatically by the system from the vulnerability category, as reference material for the vulnerability.)

Related URLs

http://itaiwan.moe.gov.tw/redir.php?url=http://zeroday.hitcon.org

Description

The following link structure is the one that allows room for an unvalidated redirect vulnerability:

http://itaiwan.moe.gov.tw/redir.php?url=http://[POC]
http://itaiwan.moe.gov.tw/redir.php?url=https://[POC]

Replace [POC] with any link without the http:// or https:// prefix, for example:

http://itaiwan.moe.gov.tw/redir.php?url=http://zeroday.hitcon.org (redirects to hitcon)
http://itaiwan.moe.gov.tw/redir.php?url=http://google.com (redirects to google)
http://itaiwan.moe.gov.tw/redir.php?url=http://147.8.2.130 (redirects to Hong Kong University's webmail, whose website is part of my unrelated previous bug bounty report)
http://itaiwan.moe.gov.tw/redir.php?url=https://google.com (https; redirects to google)

The open redirect vulnerability allows a malicious user to create a hyperlink that redirects your users to an unvalidated malicious website. For example, a threat actor can complete a critical intermediate step towards hacking your websites, databases or private information by spear-phishing unsuspecting users or admins with an email containing a link (either with an address mimicking yours or simply a Taiwanese IP address string) to a phishing page in place of "[POC]" in order to steal passwords and the like. With the convincing itaiwan.moe.gov.tw redirect link, I believe that the attacker's attempts at duping users into entering passwords or downloading malicious software would be more successful.

Furthermore, I am able to lengthen the id= string in order to further obfuscate the link:

http://itaiwan.moe.gov.tw/redir.php?url=http://google.com&id=3361102398473984273487974597609871230983509470234705702348534957984357849790897089270879087897

I can hex-encode google.com as %67%6f%6f%67%6c%65%2e%63%6f%6d to further disguise the link, and add a dummy "urI" argument (capital I at the end, not L) with the value taiwan.gov.tw at the very end of the string.

http://itaiwan.moe.gov.tw/redir.php?url=http://%67%6f%6f%67%6c%65%2e%63%6f%6d&id=3361102398473984273487974597609871230983509470234705702348534957984357849790897089270879087897&urI=taiwan.gov.tw

A rough example of a more "convincing" string that attackers might use in spear phishing, this time with the hex-encoded IP 147.8.2.130 in the url argument:

http://itaiwan.moe.gov.tw/redir.php?url=http://%31%34%37%2e%38%2e%32%2e%31%33%30&id=3361102398473984273487974597609871230983509470234705702348534957984357849790897089270879087897&urI=taiwan.gov.tw

This time I also hex-encoded the http:// prefix in the url argument:

http://itaiwan.moe.gov.tw/redir.php?url=%68%74%74%70%3a%2f%2f%31%34%37%2e%38%2e%32%2e%31%33%30&id=3361102398473984273487974597609871230983509470234705702348534957984357849790897089270879087897&urI=taiwan.gov.tw

If a state-sponsored attacker is aware of this, they will exploit it using the methodology I describe above to craft a malicious link and infect or phish their victims with it.

Remediation Advice

1. Simply avoid using redirects and forwards.
2. If they are used, do not allow the URL as user input for the destination. This can usually be done. In this case, you should have a method to validate the URL.
3. If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
4. It is recommended that any such destination input be mapped to a value, rather than the actual URL or a portion of the URL, and that server-side code translate this value to the target URL.
5. Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
6. Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.

Reference: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet#Preventing_Unvalidated_Redirects_and_Forwards
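As an added example (not code from the report, the site or OWASP), the following Python emulation of a hardened redir.php handler applies steps 3 to 5 above: it reads only the url parameter, ignores decoy parameters such as id or urI, and accepts the destination only when its scheme and exact hostname are on an allowlist, with the step 4 key-to-URL mapping as an alternative. The allowlist, the key map and the second hostname are constructed assumptions, not the site's real configuration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed policy for this example; the site's real configuration is not on the page.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"itaiwan.moe.gov.tw", "www.moe.gov.tw"}
SAFE_DEFAULT = "/"  # where to send the user when the destination is refused

# Remediation step 4: the client sends only an opaque key and the server owns
# the real URL (hypothetical mapping, constructed for this example).
REDIRECT_MAP = {
    "home": "https://itaiwan.moe.gov.tw/",
    "moe": "https://www.moe.gov.tw/",
}


def validate_redirect_url(candidate: str) -> str:
    """Return candidate if its scheme and exact host are allowlisted, else SAFE_DEFAULT.

    The decision uses the parsed hostname (lowercased, userinfo and port removed)
    and exact set membership, never a prefix or substring test, so both
    'http://itaiwan.moe.gov.tw.evil.example' and
    'http://itaiwan.moe.gov.tw@evil.example' are refused.
    """
    candidate = candidate.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return SAFE_DEFAULT  # also covers '//host', 'javascript:' and bare hosts
    if parts.hostname not in ALLOWED_HOSTS:
        return SAFE_DEFAULT
    return candidate


def resolve_redir_query(query_string: str) -> str:
    """Emulate a hardened redir.php: read only the 'url' parameter, ignore decoy
    parameters such as 'id' or 'urI', and validate the percent-decoded value.

    parse_qs decodes %xx sequences once, as PHP does when filling $_GET, so
    hex-obfuscated hosts such as %67%6f%6f%67%6c%65%2e%63%6f%6d are judged
    in their decoded form.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("url", [])
    if len(values) != 1:
        return SAFE_DEFAULT  # missing or repeated parameter: do not guess
    return validate_redirect_url(values[0])


def resolve_redir_key(key: str) -> str:
    """Step 4 alternative: translate an opaque key to a destination server-side."""
    return REDIRECT_MAP.get(key, SAFE_DEFAULT)
```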
